Deprecated - Potential Password Spraying of Microsoft 365 User Accounts
Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.
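# Elastic prebuilt detection rule (threshold type). Superseded; see `note`
# under [rule] for the replacement rule.
[metadata]
creation_date = "2020/12/01"
integration = ["o365"]
maturity = "deprecated"
deprecation_date = "2025/01/17"
updated_date = "2025/01/17"

[rule]
author = ["Elastic"]
description = """
Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30
minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to
obtain unauthorized access to user accounts.
"""
false_positives = [
    """
    Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
    positives.
    """,
]
# Look-back window per rule execution. Together with [rule.threshold] this is
# the "25 failures within 30 minutes" stated in the description; changing one
# without the other silently changes the rate the rule actually alerts on.
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts"
note = """This rule has been deprecated in favor of `Attempts to Brute Force a Microsoft 365 User Account` (26f68dba-ce29-497b-8e13-b4fde1db5a2d)."""
risk_score = 73
rule_id = "3efee4f0-182a-40a8-a835-102c68a4175d"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: Microsoft 365",
    "Use Case: Identity and Access Audit",
    "Tactic: Credential Access",
]
# Evaluate on ingest time rather than the event's own timestamp so that
# late-arriving audit events still fall inside the `from` window.
timestamp_override = "event.ingested"
type = "threshold"

# Only failed password logons from the Exchange and AzureActiveDirectory audit
# providers are matched; successful logons do not count toward the threshold.
query = '''
event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

# Failures are bucketed per source IP, not per user: that is what separates
# spraying (many accounts, few attempts each) from a single-account brute
# force. A shared egress address (NAT, proxy, VPN concentrator) folds every
# user behind it into one bucket, so the count can be reached legitimately --
# see `false_positives`.
[rule.threshold]
field = ["source.ip"]
value = 25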
This rule has been deprecated in favor of "Attempts to Brute Force a Microsoft 365 User Account"
(rule ID 26f68dba-ce29-497b-8e13-b4fde1db5a2d).
Related rules
- Possible Consent Grant Attack via Azure-Registered Application
- AWS IAM Brute Force of Assume Role Policy
- AWS IAM User Addition to Group
- Rapid Secret Retrieval Attempts from AWS SecretsManager
- AWS IAM User Created Access Keys For Another User